FireCloud Integration with Duo and Active Directory
This document describes how to set up multi-factor authentication (MFA) for FireCloud with Duo and Active Directory.
WatchGuard FireCloud Authentication Data Flow with Duo and Active Directory
Duo communicates with cloud-based services and service providers through the SAML protocol. In this integration, FireCloud is the SAML service provider, Duo Single Sign-On is the identity provider, and the Duo Authentication Proxy performs primary authentication against Active Directory before Duo performs the secondary (MFA) authentication. The diagram below shows the data flow of an MFA transaction for FireCloud.
Before You Begin
Before you begin these procedures, make sure that:
- You have a Duo administrator account
- You have configured a server to host the Duo Authentication Proxy
- You have service account credentials for the Active Directory
- You have a domain managed by your DNS hosting provider, so that you can verify the email domain of your authentication users with a DNS TXT record
- A token is assigned to a user in Duo Mobile
- You have a WatchGuard Cloud account
Additional charges might apply to use Duo.
Configure Duo
To configure Duo, complete these steps:
- Configure Active Directory for Duo SSO.
- Synchronize Users from Active Directory to Duo.
- Create a SAML Application in Duo.
Configure Active Directory for Duo SSO
The Duo Authentication Proxy receives authentication requests and performs primary authentication against Active Directory, then performs secondary authentication with Duo.
To configure Active Directory for Duo SSO:
- Install and configure Duo Authentication Proxy on your local network.
- Make sure the Authentication Proxy is connected to your directory domain.
- Configure Active Directory to authenticate with Duo Single Sign-On.
- To make sure your users log in to the correct sign-on account, add one or more Permitted Email Domains. Each Permitted Email Domain requires ownership verification.
- To test your Active Directory configuration, connect to the Authentication Proxies before you save the configuration.
For more information about how to configure Active Directory with Duo Single Sign-on, go to the Duo Single Sign-On documentation.
After you configure Active Directory for Duo SSO, the status of the Active Directory Authentication Resource in Duo is Enabled.
Synchronize Users from Active Directory to Duo
Before you synchronize users from Active Directory to Duo, make sure that:
- You install and configure Duo Authentication Proxy on your local network.
- You configure the Active Directory in Duo.
- The status of the Active Directory Authentication resource in Duo is Enabled.
You can sync the complete Active Directory, or individual users, from Active Directory to Duo. To view the synchronized users or groups in Duo, go to the Users or Groups page.
The users you sync to Duo must have an email address in one of the Permitted Email Domains that you verified in the Duo SSO configuration.
For more information about how to sync users from Active Directory to Duo, go to Active Directory Sync for Duo Users and Admins.
For more information about how to enroll users and activate Duo Mobile, go to Enroll Users.
Create a SAML Application in Duo
Before you configure the service provider application, make sure you Configure Active Directory for Duo SSO and Synchronize Users from Active Directory to Duo.
To create a SAML application in Duo:
- Log in to the Duo Admin Panel.
- From the navigation menu, select Applications > Protect an Application.
The Protect an Application page opens.
- In the Application list, next to Generic SAML Service Provider, click Protect.
The Generic SAML Service Provider - Single Sign-On page opens.
- From the Metadata section, copy the Entity ID and Single Sign-On URL values. You need this information when you configure FireCloud.
- From the Downloads section, click Download certificate to download the certificate. You need this certificate when you configure FireCloud.
- Scroll down to the Service Provider section.
- From the Metadata Discovery drop-down list, select None (manual input).
- In the Entity ID text box, type any value. Note this value exactly as you typed it, because the SAML audience check is an exact string comparison. You need this service provider Entity ID when you configure FireCloud.
- In the Assertion Consumer Service (ACS) URL text box, type https://authsvc.firecloud.<your WatchGuard Cloud region>.cloud.watchguard.com/v1/acs, where <your WatchGuard Cloud region> is your region code.
To find your account region, log in to WatchGuard Cloud and go to Administration > My Account. Your region is listed under the Data Zone heading. To get the associated region code, refer to WatchGuard Cloud URLs and Network Access Requirements.
- Scroll down to the SAML Response section.
- In the Create attributes section, in the Name text box, type groups.
- In the Value text box, type User groups.
- Keep the default values for all other settings.
- Scroll down to the bottom of the page, and click Save.
Configure FireCloud
To configure SSO for FireCloud:
- Log in to WatchGuard Cloud with your WatchGuard Cloud operator account credentials.
If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
- From the navigation menu, select Configure > FireCloud.
- Click Set Up FireCloud.
- Select Connect to Your Identity Provider.
- In the SAML Service Provider Entity ID text box, type the Entity ID value that you defined in the previous section.
- In the Identity Provider ID text box, type or paste the Entity ID value you copied from Duo in the previous section.
- In the Single Sign-On URL text box, type or paste the Single Sign-On URL value you copied from Duo in the previous section.
- In the IDP Certificate text box, click the upload icon and upload the certificate you downloaded from Duo in the previous section.
- Click Save.
- Click Done.
- From the FireCloud navigation menu, select Client Download > Download Installer.
- Run the client installer on your Windows computer.
- Click Install. The installation of the WatchGuard Agent can take several minutes.
- When the installation is complete, click Finish.
- After the WatchGuard Agent is installed, the agent automatically downloads and installs the Connection Manager. When this is finished, the Connection Manager opens and you are prompted to enter your credentials to connect to FireCloud.
Caution: You cannot install the WatchGuard Connection Manager on computers that have Panda endpoint security products installed. The WatchGuard Connection Manager is only compatible with WatchGuard Endpoint Security products.
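The values exchanged in the two procedures above (the Duo Entity ID and Single Sign-On URL entered into FireCloud, the service provider Entity ID and ACS URL entered into Duo, and the groups attribute) are what a SAML service provider checks on every response before it trusts the login. The following is an added example, not WatchGuard or Duo code, that runs those checks over a constructed, unsigned sample response. The Entity ID, ACS URL and user values are placeholders assumed for the example. XML signature verification against the IdP certificate you uploaded to FireCloud is the first check a real service provider performs; it needs an XML-DSig library and is deliberately left out here.

```python
"""Added example: SAML response checks a service provider such as FireCloud
performs on a Duo SAML response.  Not WatchGuard or Duo code.  Signature
verification against the uploaded IdP certificate is omitted (needs XML-DSig).
"""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholder values standing in for what the procedure has you enter (assumed).
IDP_ENTITY_ID = "https://sso-example.sso.duosecurity.com/saml2/sp/DIEXAMPLE/metadata"
SP_ENTITY_ID = "firecloud-example"          # the "type any value" Entity ID
ACS_URL = "https://authsvc.firecloud.REGION.cloud.watchguard.com/v1/acs"


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-06-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, idp_entity_id, sp_entity_id, acs_url, now):
    """Check issuer, destination, recipient, validity window and audience.
    Return the subject and 'groups' values, or raise ValueError naming the
    first failed check."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    if root.get("Destination") != acs_url:
        raise ValueError("Response Destination does not match the ACS URL")
    if root.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        raise ValueError("Response Issuer does not match the Identity Provider ID")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        raise ValueError("Assertion Issuer does not match the Identity Provider ID")
    # Bearer confirmation: the assertion must be addressed to our ACS and unexpired.
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        raise ValueError("SubjectConfirmationData Recipient does not match the ACS URL")
    if scd.get("NotOnOrAfter") is None or now >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("SubjectConfirmationData has expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("Assertion has no usable Conditions")
    nb = cond.get("NotBefore")
    if (nb and now < _ts(nb)) or now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion is outside its validity window")
    # Audience must carry the service provider Entity ID typed into Duo, exactly.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("Audience does not include the SAML Service Provider Entity ID")
    subject = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    groups = [v.text for v in assertion.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue", NS)]
    return {"subject": subject, "groups": groups}


# Constructed sample response (unsigned) shaped like what Duo posts to the ACS URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-06-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-06-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-06-01T11:59:00Z" NotOnOrAfter="2024-06-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>FireCloud Users</saml:AttributeValue>
        <saml:AttributeValue>Domain Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check(xml_text, sp_entity_id=SP_ENTITY_ID, now="2024-06-01T12:01:00Z"):
    """Run the checks; return the accepted subject and groups, or the rejection reason."""
    try:
        return validate_response(xml_text, IDP_ENTITY_ID, sp_entity_id, ACS_URL, _ts(now))
    except ValueError as exc:
        return {"rejected": str(exc)}


if __name__ == "__main__":
    print(check(SAMPLE_RESPONSE))                                 # accepted
    print(check(SAMPLE_RESPONSE, sp_entity_id="Firecloud-example"))  # Entity ID mistyped
    print(check(SAMPLE_RESPONSE, now="2024-06-01T12:30:00Z"))    # replayed after expiry
```

The second and third calls show why the procedure insists on noting the service provider Entity ID exactly and why a response cannot be replayed later: a one-character difference in the Entity ID fails the Audience check, and a response presented after its NotOnOrAfter time is rejected even though every identifier matches.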
Test the Integration
To test Duo MFA with your WatchGuard FireCloud, you can choose Push notification, Passkey, or Phone call.
In this example, we show the Duo Push notification method.
- Open the WatchGuard Connection Manager.
- In the Email Address text box, enter the email address associated with your Active Directory user account.
- Click Next.
- In the Password text box, type your user password.
- Click Log in.
The verification code is displayed on your login screen.
- Enter the verification code in your Duo Mobile app, then click Verify.
You are now connected to FireCloud.